Workflows in Dynamic and Restricted Delegation
KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
2009 (English). In: 2009 International Conference on Availability, Reliability, and Security (ARES), New York: IEEE, 2009, pp. 17-24. Conference paper, Published paper (Refereed)
Abstract [en]

Delegation is a key facility in dynamic, distributed and collaborative environments like Grids and enables an effective use of a wide range of dynamic applications. Traditional delegation frameworks approach a top-down model of delegation for delegating rights from a superior to a subordinate in advance, before a delegate starts off a delegated task. However, a top-down model of delegation cannot meet all the requirements of dynamic execution of distributed applications, as in such environments the required access rights for completing a task cannot easily be anticipated in advance. Delegating fewer rights than required for completing a task may cause the task execution to fail, while delegating more rights than needed may invite abuse by malicious parties. It is therefore reasonable and more robust to utilize a mechanism that allows determining and acquiring only the required rights and credentials for completing a task, when they are needed. This is what we call an on-demand delegation framework, which realizes a bottom-up delegation model and provides a just-in-time acquisition of rights for a restricted and dynamic delegation. In this paper we elaborate the concept of bottom-up delegation and describe how an on-demand delegation framework can leverage workflows to meet the requirements of the least privileges principle. We also discuss the vital need for dynamic and adaptive scientific workflows to support an on-demand delegation framework. We present three different models of bottom-up delegation, which cover a wide range of usage scenarios in Grids and dynamic collaborative environments. Using a standard RBAC authorization model and a graph-based workflow model (DAG), we define and analyze a formal model of our proposed bottom-up delegation approach.

Place, publisher, year, edition, pages
New York: IEEE, 2009. pp. 17-24
Keyword [en]
Access rights, Authorization model, Collaborative environments, Distributed applications, Dynamic applications, Dynamic execution, Formal model, Graph-based, Just in time, Least privilege, On-Demand, Required rights, Scientific workflows, Task executions, Top down models, Usage scenarios, Work-flows, Workflow models, Management, Security of data
National Category
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-9933
DOI: 10.1109/ARES.2009.92
ISI: 000270612000003
Scopus ID: 2-s2.0-70349667785
ISBN: 978-1-4244-3572-2 (print)
OAI: oai:DiVA.org:kth-9933
DiVA: diva2:159671
Conference
4th International Conference on Availability, Reliability and Security, Fukuoka Inst Technol, Fukuoka, JAPAN, MAR 16-19, 2009
Note
QC 20100621. Available from: 2009-02-09. Created: 2009-02-09. Last updated: 2011-02-24. Bibliographically approved.
In thesis
1. On-demand Restricted Delegation: A Framework for Dynamic, Context-Aware, Least-Privilege Delegation in Grids
2009 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current grid systems, delegation is either performed dynamically, in an unrestricted manner, or by a secure but static method. Unfortunately, the former compromises security and the latter cannot satisfy the requirements of dynamic grid application execution. Therefore, development of a delegation framework that enables a restricted and flexible delegation mechanism becomes increasingly urgent as grids are adopted by new communities and grow in size. The main barriers in development of such a mechanism are the requirements for dynamic execution of grid applications, which make it difficult to anticipate the required access rights for completing tasks in advance.

Another significant architectural requirement in grids is federated security and trust. A considerable barrier to achieving this is cross-organizational authentication and identification. Organizations participating in Virtual Organizations (VOs) may use different security infrastructures that implement different protocols for authentication and identification; thus, there exists a need to provide an architectural mechanism for lightweight, rapid and interoperable translation of security credentials from an original format to a format understandable by recipients.

This thesis contributes the development of a delegation framework that utilizes a mechanism for determining and acquiring only required rights and credentials for completing a task, when they are needed. This is what we call an on-demand delegation framework that realizes a bottom-up delegation model and provides a just-in-time acquisition of rights for restricted and dynamic delegation.

In this thesis, we further contribute the development of a credential mapping mechanism using off-the-shelf standards and technologies. This mechanism provides support for an on-the-fly exchange of different types of security credentials used by the security mechanisms of existing grids.

Place, publisher, year, edition, pages
Stockholm: Universitetsservice US AB, 2009. xi, 62 p.
Series
Trita-CSC-A, ISSN 1653-5723 ; 2009:01
Keyword
Grid Security, Restricted and Context-Aware Delegation, Delegation Protocol, On-demand Delegation, Dynamic Trust Federation, Grid Interoperability, Credential Mapping
National Category
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-9930
ISBN: 978-91-7415-219-7
Public defence
2009-02-16, Sal F3, Flodis, KTH, Lindstedtsvägen 26, Stockholm, 13:00 (English)
Note
QC 20100622. Available from: 2009-02-09. Created: 2009-02-09. Last updated: 2012-02-23. Bibliographically approved.

Open Access in DiVA

No full text
By author/editor
Ahsant, Mehran
By organisation
Centre for High Performance Computing, PDC